CVE-2026-32757
Cross-Site Scripting in Admidio eCard Email Handler
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admidio | admidio | to 5.0.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-32757 is a moderate severity vulnerability in the Admidio open-source user management solution, specifically in its eCard feature for versions 5.0.6 and below.'}, {'type': 'paragraph', 'content': "The issue arises because the eCard send handler uses the raw POST parameter 'ecard_message' instead of the properly sanitized version when constructing the greeting card HTML for emails. Although the input is sanitized during form validation using HTMLPurifier, the code mistakenly uses the unsanitized input when generating the email content."}, {'type': 'paragraph', 'content': 'This flaw allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing server-side sanitization.'}, {'type': 'paragraph', 'content': 'As a result, malicious content such as phishing links, fake forms, or tracking pixels can be embedded in emails, potentially deceiving recipients and crossing security boundaries from the web application into email clients.'}, {'type': 'paragraph', 'content': 'The vulnerability has been fixed in version 5.0.7 by ensuring the sanitized input is used when generating the email content.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an authenticated attacker within the Admidio system to send greeting card emails containing malicious HTML or JavaScript to other members.'}, {'type': 'paragraph', 'content': 'Such injected content can be used for phishing attacks that appear legitimate because they come from a trusted internal system.'}, {'type': 'paragraph', 'content': "The attacker can embed fake forms, tracking pixels, or malicious scripts that may execute in recipients' email clients, especially if those clients do not adequately block such content."}, {'type': 'paragraph', 'content': 'This crosses security boundaries by affecting users outside the web application, potentially compromising confidentiality and integrity of communications.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by identifying if your Admidio installation is running version 5.0.6 or below and if the eCard send handler is using the unsanitized $_POST['ecard_message'] value when sending greeting card emails."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the eCard send endpoint (typically modules/photos/ecard_send.php) for suspicious or unexpected HTML or JavaScript content in the 'ecard_message' parameter."}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using web server logs, search for POST requests containing suspicious HTML or script tags in the 'ecard_message' parameter, e.g., using grep: grep -i 'ecard_message=.*<script' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST traffic to the eCard send URL and inspect payloads for injected HTML or JavaScript.'}, {'type': 'list_item', 'content': 'If you have access to the application database, query the stored eCard messages for suspicious HTML content that might indicate exploitation.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Admidio to version 5.0.7 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "If upgrading immediately is not possible, you should modify the eCard send handler code to use the sanitized input instead of the raw POST data. Specifically, change the code in modules/photos/ecard_send.php to assign the sanitized $formValues['ecard_message'] to the variable used for email content instead of $_POST['ecard_message']."}, {'type': 'paragraph', 'content': 'Additionally, applying encoding or escaping in the method that inserts the eCard message into the email template (ECard::parseEcardTemplate) can provide defense-in-depth.'}, {'type': 'paragraph', 'content': 'Restrict access to the photo module and eCard sending functionality to trusted authenticated users only, as the vulnerability requires authentication.'}, {'type': 'paragraph', 'content': 'Monitor outgoing emails for suspicious content and inform users to be cautious of unexpected or suspicious eCards.'}] [1]